Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:

> As discussed on our last conference call and in a previous email, we are
> behind schedule on our deliverables and I would like to propose that we
> close the feature set for CSP 1.1.
>
> This is a formal poll to establish consensus.  Workgroup members, please
> take a few minutes to respond to these 6 questions to the list.
>
> 1: We should close the feature set of CSP 1.1?  Agree / Disagree
>
> 2. We should include the application of 'unsafe-eval' semantics to the
> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>
> 3. We should include the suborigin sandboxing proposal in the core CSP 1.1
> feature set? Agree / Disagree
>
> 4. We should include the "Session Origin Security" policy in the core CSP
> 1.1 feature set?  Agree / Disagree
>
> 5. We should include the "cookie-scope" policy in the core CSP 1.1 feature
> set?  Agree / Disagree
>
> Finally, we have a Formal Objection that has been registered by the Cox
> Communication representative Glenn Adams to reverse the currently specified
> behavior of allowing user-defined scripts (including from extensions).
> Glenn has declined to raise his suggestions on this list after several
> invitations to do so, but he gave a high-level set of proposals attached to
> this bug:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>
> 6. We should make changes to core CSP 1.1 behavior (including possibly
> specifying a new directive about user script) as requested by Bug 23357?
> Agree / Disagree
>

Based on discussions with Cory in this ML, you need to rephrase this
question to read:

<blockquote>
We should remove the following text from Section 3.3 Processing Model:

"Enforcing a CSP policy should not interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and JavaScript
bookmarklets."
</blockquote>

There is no change in core CSP 1.1 behavior here since the above language
takes the form of a recommendation on UA vendors, and not a mandatory
behavior.


>
>
> Please reply to this list so your views can be "on the record".  This poll
> closes at the start of our next regularly scheduled teleconference on
> October 8th at 2pm United States Pacific Time.
>
> Thank you,
>
> Brad Hill
> co-chair, WebAppSec WG
>

Received on Friday, 4 October 2013 19:39:50 UTC